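# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Raptor firewall logs.
# The whole plugin is one nested group; every log field is populated by the
# parsing filters below (parse_only_with_filters = "true"), which is why each
# field carries index = 0 / subindex = 0 rather than a positional index.
#
# Review fixes in this revision:
#   - log.filters previously declared the node name "1" twice (code map and
#     src split); since the group is keyed by name, one of the two filters was
#     presumably lost on load. The filters are now numbered 1, 2, 3 in their
#     original order.
#   - code 704 label corrected from "Expriation" to "Expiration".
raptor = {
  # The name of the log format
  log.format.format_label = "Raptor Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"
  # The log is in this format if any of the first ten lines match this regular expression
  # (syslog-style prefix: "Mon dd hh:mm:ss[.frac] host daemon[pid]: code ").
  log.format.autodetect_regular_expression = "^[A-Z][a-z][a-z] [0-9 ][0-9] [0-9 ][0-9]:[0-9][0-9]:[0-9][0-9][0-9.]* [^ ]* [a-z0-9]*[[0-9]*]: [0-9]* "
  # The format of dates and times in this log
  log.format.date_format = "mmm dd"
  log.format.time_format = "hh:mm:ss"
  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # "flat" fields are single values; date/time/size/hierarchical/page fields
  # carry the divider settings Sawmill needs to build hierarchies from them.
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time
    duration = {
      label = "$lang_stats.field_labels.duration"
      type = "hierarchical"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # duration
    microseconds = {
      label = "$lang_stats.field_labels.microseconds"
      type = "flat"
      index = 0
      subindex = 0
    } # microseconds
    server = {
      label = "$lang_stats.field_labels.server"
      type = "flat"
      index = 0
      subindex = 0
    } # server
    proxy = {
      label = "$lang_stats.field_labels.proxy"
      type = "flat"
      index = 0
      subindex = 0
    } # proxy
    user = {
      label = "$lang_stats.field_labels.user"
      type = "flat"
      index = 0
      subindex = 0
    } # user
    # Numeric Raptor message code; mapped to "Severity/Text" by log.filters.1
    code = {
      label = "$lang_stats.field_labels.code"
      type = "flat"
      index = 0
      subindex = 0
    } # code
    id = {
      label = "$lang_stats.field_labels.id"
      type = "flat"
      index = 0
      subindex = 0
    } # id
    rcvd = {
      label = "$lang_stats.field_labels.rcvd"
      type = "size"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # rcvd
    # dst / src hold "ip/port"; they are split into the *_ip / *_port fields
    # by log.filters.2 and log.filters.3
    dst = {
      label = "$lang_stats.field_labels.dst"
      type = "flat"
      index = 0
      subindex = 0
    } # dst
    src = {
      label = "$lang_stats.field_labels.src"
      type = "flat"
      index = 0
      subindex = 0
    } # src
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # source_ip
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # source_port
    srcif = {
      label = "$lang_stats.field_labels.srcif"
      type = "flat"
      index = 0
      subindex = 0
    } # srcif
    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_ip
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_port
    dstif = {
      label = "$lang_stats.field_labels.dstif"
      type = "flat"
      index = 0
      subindex = 0
    } # dstif
    op = {
      label = "$lang_stats.field_labels.op"
      type = "flat"
      index = 0
      subindex = 0
    } # op
    # Request URL; treated as a page hierarchy split on "/" and "?"
    arg = {
      label = "$lang_stats.field_labels.arg"
      type = "page"
      index = 0
      subindex = 0
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "false"
    } # arg
    result = {
      label = "$lang_stats.field_labels.result"
      type = "flat"
      index = 0
      subindex = 0
    } # result
    proto = {
      label = "$lang_stats.field_labels.proto"
      type = "flat"
      index = 0
      subindex = 0
    } # proto
    rule = {
      label = "$lang_stats.field_labels.rule"
      type = "flat"
      index = 0
      subindex = 0
    } # rule
  } # log.fields

  #
  # Log Parsing Filters
  # Applied in order to every line: 1 takes the fixed syslog prefix,
  # 2 collects the name=value pairs of "Statistics:" lines (presumably this is
  # what fills rcvd, src, dst, op, arg, rule, ... by name -- confirm against a
  # sample log), 3 accepts whatever has been collected.
  log.parsing_filters = {
    # Parse out the date
    1 = {
      label = "1"
      comment = ""
      value = "collect_fields_using_regexp('^()(... [0-9 ][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])([0-9.]* )([^ ]*) ([-a-z]*)[^:]*: ([0-9]*)', '*KEY*,date,time,microseconds,server,proxy,code')"
    } # 1
    # Parse out the space-separated, =-divided variables
    2 = {
      label = "2"
      comment = ""
      value = "collect_listed_fields_using_regexp('^()... [0-9 ][0-9] [0-9:.]* [^ ]* [^:]*: [0-9]* Statistics: (.*)$', ' ', '=', '')"
    } # 2
    # Accept this log entry
    3 = {
      label = "3"
      comment = ""
      value = "accept_collected_entry_using_regexp('^()', false)"
    } # 3
    # Legacy (pre-expression-syntax) filter kept for reference only:
    # Accept a collected field when there is a "Statistics:" line
    # do_b
    # "" "" "" "" ""
    # accept_collected_entry_regexp " Statistics: " "" "" ""
    # goto_next_filter "" "" "" ""
    # ""
  } # log.parsing_filters

  # Database fields
  # suppress_top / suppress_bottom control how many hierarchy levels are hidden
  # at each end of the field's report.
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    # The raw src/dst fields are not reported; the split *_ip / *_port fields
    # below are used instead.
    # src = {
    #   label = "$lang_stats.field_labels.src"
    #   log_field = "src"
    #   type = "string"
    #   suppress_top = 0
    #   suppress_bottom = 2
    # } # src
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      log_field = "source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_ip
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_port
    # dst = {
    #   label = "$lang_stats.field_labels.dst"
    #   log_field = "dst"
    #   type = "string"
    #   suppress_top = 0
    #   suppress_bottom = 2
    # } # dst
    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      log_field = "destination_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_ip
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      log_field = "destination_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_port
    server = {
      label = "$lang_stats.field_labels.server"
      log_field = "server"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # server
    proxy = {
      label = "$lang_stats.field_labels.proxy"
      log_field = "proxy"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # proxy
    user = {
      label = "$lang_stats.field_labels.user"
      log_field = "user"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user
    # URL report hides the top level (scheme) and the three deepest levels
    arg = {
      label = "$lang_stats.field_labels.arg"
      log_field = "arg"
      type = "string"
      suppress_top = 1
      suppress_bottom = 3
    } # arg
    op = {
      label = "$lang_stats.field_labels.op"
      log_field = "op"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # op
    id = {
      label = "$lang_stats.field_labels.id"
      log_field = "id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # id
    proto = {
      label = "$lang_stats.field_labels.proto"
      log_field = "proto"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # proto
    result = {
      label = "$lang_stats.field_labels.result"
      log_field = "result"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # result
    rule = {
      label = "$lang_stats.field_labels.rule"
      log_field = "rule"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule
    code = {
      label = "$lang_stats.field_labels.code"
      log_field = "code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # code
  } # database.fields

  # Log Filters
  # Node names must be unique within this group; filters 1-3 are numbered in
  # application order.
  log.filters = {
    # Convert the code field to English ("Severity/Message").
    # The 2xx-5xx codes carry the security-relevant events (access denied,
    # spoofed packets, port scans, unauthorized connects, alerts); a report on
    # the code field is the quickest way to surface them.
    1 = "convert_field_map('code', '101->Information/Raptor Network Security Management System starting up|102->Information/Shutdown command received|103->Information/Closing connection|104->Information/Re-read of new config file successful|105->Information/Connection for incoming to outgoing|106->Information/Path to destination|107->Information/Closing log file|108->Information/Starting new log file|109->Information/Re-reading configuration file|110->Information/User authenticated|111->Information/FTP transfer|112->Information/Rule expire, re-scanning rules|113->Information/Received connection from mobile|115->Information/Remote management connection|116->Information/Remote management completed|117->Information/Daemon starting|118->Information/Daemon exiting|119->Information/Request did not complete successfully|120->Information/Application information|121->Information/Statistics|122->Information/Daemon listening on port|123->Information/NAT address mapping added|124->Information/NAT address mapping freed|125->Information/ISAKMP SA established with peer|126->Information/Protocol SA established with peer|127->Information/Connection request|128->Information/Finjan information|129->Information/Trace|201->Notice/Access denied for IP address|202->Notice/Access denied for user|203->Notice/Password changed|204->Notice/Password added|208->Notice/VPN packet does not match any tunnel|209->Notice/VPN packet not valid for tunnel|211->Notice/VPN authentication failed|212->Notice/IP address not allowed on tunnel|213->Notice/IP packet not allowed on implicit tunnel|214->Notice/IP packet dropped|215->Notice/VPN packet does not match any defined tunnel|216->Notice/Access denied for IP address|217->Notice/Cannot lookup hostname|218->Notice/Invalid protocol|219->Notice/Cannot parse URL|220->Notice/Local web server cannot handle request|221->Notice/Possible spoofed IP packet dropped|222->Notice/VPN packet error|223->Notice/VPN packet error|224->Notice/User count is over limit|225->Notice/Possible spoofed IP packet dropped|226->Notice/IP packet dropped (restricted port)|227->Notice/VPN packet dropped|228->Notice/Cannot connect to destination|229->Notice/IP packet dropped (filter)|230->Notice/Packet not allowed on tunnel|231->Notice/Started on connection|232->Notice/Sending original packet|233->Notice/IP packet dropped (input packet filter)|234->Notice/Network error|235->Notice/NAT address allocation failed|236->Notice/Cannot lookup active Protocol SA record|237->Notice/Failed to connect to destination|238->Notice/Application notice|239->Notice/Sending TCP Reset, port not allowed|240->Notice/Bad TCP flags combination|301->Warning/Internal warning|303->Warning/Service is already running|304->Warning/Protocol mismatch|305->Warning/Ignoring multiple entry for service|306->Warning/Overlapping time range|307->Warning/Config file not from authorization machine|308->Warning/Cannot lookup hostname|309->Warning/Warning in config file|310->Warning/Cannot verify reverse address|311->Warning/Cannot verify ethernet address|312->Warning/Bogus response to hostname lookup|313->Warning/Access denied to user (bad password)|314->Warning/Warning in user file (blank user name)|315->Warning/Warning in user file (non-numeric user id)|316->Warning/Warning in user file (non-numeric group id)|317->Warning/Warning in user file (blank group name)|318->Warning/Warning in user file (non-numeric group id)|323->Warning/Readeagle already running|324->Warning/Basic and enhanced rule scan give different results|331->Warning/No rules for firewall in config file|333->Warning/Cannot open firewall\\'s file|334->Warning/Denied access to protocol command|335->Warning/VPN packet dropped (VPN is not enabled)|336->Warning/VPN packet dropped (invalid format or length)|337->Warning/Could not dequeue decapsulated VPN packet to IP input queue|338->Warning/VPN packet dropped (UDP disabled)|341->Warning/Child process stopped unexpectedly|342->Warning/Child process exited with an unexpected error|343->Warning/Software problem|344->Warning/Non-transparent call|345->Warning/Bad DNS information|347->Warning/Possible port scan detected|401->Error/Internal error|402->Error/Cannot get config file|403->Error/Cannot read config file|404->Error/Error in config file|405->Error/Re-read of config file failed|406->Error/Cannot open audio file|407->Error/Cannot open traceroute lockfile|408->Error/Not a valid audio file|409->Error/Audio file sample rate not available|410->Error/Filename encoding not available|411->Error/Unable to open notify schedule|412->Error/Unrecognized transport|413->Error/Have config file errors but continuing|415->Error/Syntax error in config file date/time string|416->Error/Syntax error in config file expression string|417->Error/Cannot connect to host port|418->Error/Cannot lookup host|419->Error/Bad server port|420->Error/Cannot open config file|423->Error/Bad protocol|424->Error/Cannot use TCP port|425->Error/Cannot lookup service|430->Error/EagleLAN cannot lookup firewall hostname|431->Error/EagleLAN cannot read firewall location|432->Error/Bad hostname|433->Error/Cannot connect to host|434->Error/Error reading config file|435->Error/Cannot execute service to read config file|440->Error/EagleLAN contact failed|441->Error/Parameter error|442->Error/VPN: Could not attach to data link driver|444->Error/Error in password file|445->Error/Cannot read password file|446->Error/No entry for host in password file|450->Error/Management of service failed|451->Error/Bad port in config file|452->Error/Cannot lookup proxy name|454->Error/Cannot open file|455->Error/Child process exited under abnormal conditions|456->Error/HTTPS service not supported|457->Error/Application error|501->Alert/Suspicious activity monitor threshold triggered|502->Alert/Ethernet address mismatch for host|503->Alert/Reverse address doesn\\'t match for host|504->Alert/Unknown entity connected to readeagle|505->Alert/Unauthorized process killed|506->Alert/Unauthorized user logged off|510->Alert/Incorrect data checksum|511->Alert/Incorrect challenge|512->Alert/Unauthorized remote connect attempt|513->Alert/Saved SMTP trace file|514->Alert/Unauthorized protocol|515->Alert/User attempted to connect to control port|516->Alert/DNSd error|523->Alert/Hostile Java applet blocked by SurfinGate|524->Alert/Total allowed logging space low, pausing logging|601->Critical/Child process died unexpectedly|602->Critical/Child process returned an unexpected error|603->Critical/Fork failed|604->Critical/Bad message priority|605->Critical/Cannot execute service|606->Critical/Failed to notify|607->Critical/Daemon exited on signal|609->Critical/Syslog daemon not running|610->Critical/Internal error|611->Critical/User count limit reached|612->Critical/Service error|701->Emergency/Cannot allocate memory|702->Emergency/Quitting because of config errors|704->Emergency/Expiration date reached|705->Emergency/Invalid license key|706->Emergency/Module not licensed|707->Emergency/Service not installed|708->Emergency/Service is corrupt'); '';"
    # Extract the source hostname from the src field ("ip/port")
    2 = "if (matches_regular_expression(src, '^([0-9.]+)/([0-9]+)')) then source_ip = $1; source_port = $2;"
    # Extract the destination hostname from the dst field ("ip/port")
    3 = "if (matches_regular_expression(dst, '^([0-9.]+)/([0-9]+)')) then destination_ip = $1; destination_port = $2;"
    # Drop the query string from arg. Besides keeping the report compact this
    # keeps any credentials or session tokens passed as URL parameters out of
    # the database.
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(arg, '?')) then arg = substr(arg, 0, index(arg, '?') + 1) . '(parameters)';"
    } # remove_query
    # NOTE(review): relies on a file_type field that is not declared in
    # log.fields above -- presumably derived by Sawmill from the page-type arg
    # field; confirm.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views
    # Reduce arg to "scheme://host/(omitted)" -- discards the whole path
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(arg, '^([^:]+://[^/]+/)')) then arg = $1 . '(omitted)'"
    } # simplify_url
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then arg = substr(arg, 0, last_index(arg, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'hits = 1;'
    } # mark_entry
  } # log.filters

  # Session reconstruction: a visitor is identified by source_ip only
  log.field_options = {
    sessions_page_field = "arg"
    sessions_visitor_id_field = "source_ip"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    hits = {
      label = "$lang_stats.field_labels.hits"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # hits
    page_views = {
      label = "$lang_stats.field_labels.page_views"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # page_views
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "source_ip"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    # NOTE(review): no "sent" log field is declared in log.fields above (only
    # rcvd); with requires_log_field = true this column presumably never
    # appears -- either add the field or drop this entry.
    sent = {
      label = "$lang_stats.field_labels.sent"
      default = false
      requires_log_field = true
      log_field = "sent"
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    rcvd = {
      label = "$lang_stats.field_labels.rcvd"
      default = false
      requires_log_field = true
      log_field = "rcvd"
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_ip = true
      source_port = true
      destination_ip = true
      destination_port = true
      server = true
      proxy = true
      user = true
      arg = true
      op = true
      id = true
      proto = true
      result = true
      rule = true
      code = true
    } # report_groups
  } # create_profile_wizard_options

  not_supported = {
  } # not_supported
} # raptor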